Show process limiting access by not inheriting all parent's
capabilities

Revocation: use of a global descriptor table

Lock and Key

a. Associate with each object a lock; associate with each
process that has access to object a key (it's a cross between ACLs and
C-Lists)

b. Example: use crypto (Gifford). Object X is enciphered with key K.
Associate an opener R with X. Then:
   OR-Access: K can be recovered with any Di in a list of n
   deciphering transformations, so R = (E1(K), E2(K), ..., En(K))
   and any process with access to any of the Di's can access the file
   AND-Access: need all n deciphering functions to get K:
   R = E1(E2(...En(K)...))
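
The two openers above, worked through as an added example (not part of the original notes). The functions E and D are a toy stand-in for the enciphering and deciphering transformations, built from SHA-256 and HMAC for illustration only; all function names are assumptions of this sketch.

```python
import hashlib, hmac

def _stream(key, n):
    # Toy keystream (SHA-256 in counter mode); a stand-in, not a vetted cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(k, data):
    """E_i: encipher data under k; an 8-byte tag lets D_i detect a wrong key."""
    tag = hmac.new(k, data, hashlib.sha256).digest()[:8]
    return tag + bytes(a ^ b for a, b in zip(data, _stream(k, len(data))))

def D(k, blob):
    """D_i: return the plaintext, or None if k is not the matching key."""
    tag, body = blob[:8], blob[8:]
    data = bytes(a ^ b for a, b in zip(body, _stream(k, len(body))))
    good = hmac.new(k, data, hashlib.sha256).digest()[:8]
    return data if hmac.compare_digest(tag, good) else None

def or_opener(keys, K):
    # R = (E1(K), E2(K), ..., En(K))
    return [E(k, K) for k in keys]

def or_open(R, k):
    # Any single D_i recovers K from its own entry in R.
    hits = [K for K in (D(k, e) for e in R) if K is not None]
    return hits[0] if hits else None

def and_opener(keys, K):
    # R = E1(E2(...En(K)...)): apply En first, E1 last.
    blob = K
    for k in reversed(keys):
        blob = E(k, blob)
    return blob

def and_open(R, keys):
    # Peel D1, D2, ..., Dn in order; a wrong or out-of-order key stops recovery.
    blob = R
    for k in keys:
        blob = D(k, blob)
        if blob is None:
            return None
    return blob  # equals K only if all n layers were removed

def read_object(X, K):
    # X is the object enciphered with K; None means K was not recovered.
    return D(K, X) if K is not None else None
```

With OR-Access the opener grows linearly with the number of key holders, and each holder can be revoked by deleting one entry of R and re-keying X; with AND-Access the opener is a single nested value that no proper subset of the holders can unwrap.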

Your UNIX system has been attacked. The uucp entry in your /etc/passwd
file has a UID of 0. You have run ps to see if any unusual processes
were executing. None were. You ran ls to find any unusual files or
directories. None were reported. You ran du to determine if the size of
any file system was unusually large (indicating hidden files). Nope.

You suspect that someone has, somehow, hidden files (or directories) and
an executing process. You decide to start at the /dev directory, to see
if they created any new device files. Again, an ls lists only those
files you expect to see. But you are still suspicious, and want to
confirm the results.

What would you do?

You still suspect that the attacker left an illicit process executing.
But ps showed nothing. How would you confirm or refute your suspicion?